1 Key Risks
The most critical security risks an operator inherits when deploying this agent in its documented default configuration. The dominant risk is the gap between the platform-level security controls the vendor ships and the AI-specific guardrails it does not: prompt filtering and output validation are absent in the documented default.
2 AIRQ Scores
The four headline scores quantify how exposed the agent is, how damaging a successful attack would be, and how much the agent’s own controls reduce that risk. ThoughtSpot Spotter lands in the lower risk bands with meaningful vendor-shipped controls offsetting a moderate attack surface elevated by the trifecta condition.
The agent sits in the lower-left quadrant where a constrained blast radius pairs with platform-level defenses that cover execution isolation, action approval, and monitoring while leaving input filtering and output validation as operator-managed gaps.
The score pattern shows an agent whose constrained data-query scope limits damage potential while vendor-shipped permission gates and monitoring partially compensate for the absence of prompt-level input filtering and output validation.
| Metric | Score | Comments |
|---|---|---|
| AIRQ Score | 3 | Platform-level defenses partially offset the trifecta-elevated attack surface, placing the composite score in the moderate band. |
| Blast Radius | 3 / 10 | Blast radius stays low because the agent executes mediated SQL through a query translation layer and controlled connector writes rather than shell commands or infrastructure mutations. |
| Attack Surface | 4.8 / 10 | All three trifecta conditions are met, which floors the attack surface score despite individually moderate per-surface bands. |
| Defense Controls | 7 / 15 | Vendor-shipped controls cover execution isolation, action gates, and monitoring; input filtering and output validation remain absent at the documented default. |
3 Attack Surface
Attack surfaces are the entry points and interaction patterns through which adversarial input can reach the agent’s reasoning loop and steer its behavior. The primary exposures are the multi-channel natural language input path that feeds enterprise warehouse queries and the MCP connector layer that bridges Spotter to external collaboration tools, with class-level text-to-SQL research demonstrating viable attack patterns against this architecture. [3][4]
Most surfaces land in the moderate band, with output processing and configuration scoring lower due to the controlled SaaS delivery model and admin-gated feature activation.
Each row maps a single attack surface to its score and the vendor-documented architectural condition that justifies the band placement.
| Surface | Score | Comments |
|---|---|---|
| User Input | 2 / 4 | Multiple input channels — web UI, REST API, MCP, and embedded analytics — carry natural language queries through a SQL translation layer that mediates LLM output but lacks a dedicated prompt shield. [7][11] |
| External Data | 2 / 4 | Spotter 3 ingests unstructured content from Slack conversations, Confluence pages, and Jira tickets through admin-enabled MCP connectors alongside structured warehouse data governed by row-level and column-level security. [10][15] |
| Memory | 2 / 4 | Opt-in chat history persists across sessions when enabled by an admin, query results cache for up to one hour in Spotter 3 Advanced Analysis, and coaching data accrues as admin-managed business-term definitions. [7][9] |
| Reasoning | 2 / 4 | Spotter 3 Research mode performs iterative chain-of-thought reasoning constrained to data analytics scope, with visible search tokens and formula explanations exposing each reasoning step to the user. [7][13] |
| Planning | 2 / 4 | Research mode decomposes broad analytical prompts into sub-queries that Spotter validates and cross-references within a single user-supervised session, with no autonomous scheduling or background execution. [9][13] |
| Tool Execution | 2 / 4 | SQL queries execute through ThoughtSpot's query translation layer enforcing row-level and column-level security, with MCP tool calls gated by per-action user approval; SQL passthrough functions bypass this enforcement when admin-enabled. [2][10] |
| Orchestration | 2 / 4 | Multi-step analysis chains run within a single supervised session with no background task spawning, cron scheduling, or daemon mode, limiting the orchestration surface to session-scoped query sequences. [9][13] |
| Inter-Agent | 2 / 4 | Spotter 3 acts as an MCP host connecting to external MCP servers, and the ThoughtSpot MCP server exposes analytics tools to external agents like Claude and Gemini, with OAuth-based authentication gating all inter-agent communication. [15][13] |
| Output Processing | 1 / 4 | Output consists of data visualizations, charts, and text answers rendered within the ThoughtSpot web UI, with no documented exfiltration blocking or URL sanitization for rich output content. [7] |
| Configuration | 1 / 4 | All AI features ship disabled by default, requiring admin enablement at instance, model, and user-privilege tiers before Spotter activates; LLM provider and connector selections are admin-only settings. CVE-2019-12782, a platform-level authorization bypass via pinboard GUID spoofing, predates the AI features and was patched in version 5.1.2. [9][1][20] |
The Lethal Trifecta is triggered when an agent processes untrusted content, accesses private data, and communicates externally in the same session — the three conditions that turn an isolated prompt injection into full-chain exfiltration. ThoughtSpot Spotter processes user-authored natural language queries alongside enterprise warehouse data and transmits both to external LLM providers and MCP-connected collaboration tools in every active session. [7][10]
ThoughtSpot Spotter exhibits all three of these conditions in its documented default configuration:
- Untrusted input — User-authored prompts arrive through four documented channels — the cloud application, the developer API, the MCP transport, and embedded analytics widgets — and Spotter 3 connectors pull additional unstructured content from Slack and Confluence into the same reasoning context. [7][10]
- Sensitive data — Authenticated users access enterprise analytics data from connected warehouses governed by row-level and column-level security, spanning revenue figures, customer transaction records, workforce data, and any schema the warehouse connection exposes at the user's privilege level. [7][9]
- External egress — Query metadata and natural language prompts are transmitted to Azure OpenAI and Google Gemini providers over TLS, and MCP connectors can send messages to Slack and create Confluence pages. [7][15]
4 Blast Radius
The blast radius is what an attacker who controls the agent can reach — which systems they touch, which credentials they read, and which actions they take without operator approval. Compromise of a Spotter session reaches the authenticated user's warehouse read scope and, when connectors are enabled, the write scope of approved MCP tools — but not host-level execution or infrastructure controls.
No factor reaches the maximum band, and deployment access scores zero because the agent cannot modify infrastructure or publish packages.
Each row ties a blast factor to the specific capability evidence — warehouse query scope, connector write authority, or LLM provider communication channel.
| Factor | Score | Comments |
|---|---|---|
| Code execution | 1 / 4 | SQL queries execute through the ThoughtSpot query translation layer at the authenticated user's warehouse privilege level, with no shell access or arbitrary code execution capability. [7][2] |
| File system access | 1 / 4 | Data export is gated by the Can download data privilege, scoping file access to query-result downloads within the ThoughtSpot platform rather than host-level file system reads or writes. [9] |
| Network access | 2 / 4 | Outbound network communication is domain-restricted to vendor-assessed LLM providers over TLS and admin-configured MCP connector endpoints, with no unrestricted outbound HTTP capability. [7][15] |
| Credential access | 2 / 4 | OAuth tokens for MCP connectors are platform-managed with per-user authentication, and third-party credentials are not stored by ThoughtSpot according to vendor privacy and security documentation. [15][10][16] |
| Autonomous action | 1 / 4 | Every MCP tool action requires explicit user approval before execution, with no documented mechanism for fully autonomous or scheduled actions outside a supervised session. [10] |
| Deployment access | 0 / 4 | The agent has no capability to deploy infrastructure, modify cloud resources, or publish packages; its action surface terminates at data queries and connector writes. [9] |
5 Defense Controls
Defense controls are what the agent’s own architecture does to detect, contain, and report attacks before they reach the operator’s systems. The vendor ships execution isolation, action approval gates, and SOC 2-attested monitoring as default controls, while input-level prompt filtering and output-level data-loss prevention remain absent from the documented default configuration.
Higher scores indicate stronger vendor-shipped safeguards; the inverted coloring highlights that output guardrails carry no vendor-shipped control and input guardrails rely solely on indirect query mediation, making these two components the operator's primary defense gaps.
Each component is scored on what the vendor implements by default, with opt-in controls noted separately as hardening opportunities rather than baseline posture.
| Component | Score | Comments |
|---|---|---|
| Input Guardrails | 1 / 3 | ThoughtSpot converts natural language prompts into its own query language rather than passing raw LLM output to the warehouse, which provides structural resistance to SQL injection but no dedicated prompt shield or adversarial input classifier operates at the prompt stage. [11][7] |
| Execution Isolation | 2 / 3 | Cloud-hosted multi-tenant SaaS isolates customer environments with CSA STAR Level 1 self-assessment and Microsoft 365 App Certification, and LLM calls route to vendor-assessed providers with TLS encryption and contractual zero-data-retention. [7][8][17][19] |
| Action Controls | 2 / 3 | Three-tier permission model gates Spotter access at instance, model, and user levels, and MCP tool calls require explicit per-action approval with no documented single-step bypass. [9][10] |
| Output Guardrails | 0 / 3 | No documented DLP, credential redaction, or exfiltration blocking operates on Spotter output, meaning query results containing PII or financial data can flow unfiltered to MCP connector destinations; audit logs explicitly exclude customer data, prompts, and query results. [7][12] |
| Monitoring | 2 / 3 | Security audit events push to SIEM at five-second intervals or pull via REST API with 30-day retention, attested under SOC 2 Type II by KirkpatrickPrice, with a responsible disclosure program accepting vulnerability reports; Spotter prompts and results fall outside the event stream. [12][8][18][14] |
6 Hardening Tips
Concrete actions an operator can take to reduce the risks reported above, grouped by which defense control each tip strengthens. Operators should prioritize deploying prompt-level input filtering and output validation controls to close the two weakest defense components (output guardrails at 0 / 3 and input guardrails at 1 / 3), which the platform's existing isolation and approval gates do not address.
Input Guardrails
Input guardrails intercept adversarial content before it reaches the reasoning loop.
- Policy Require all Spotter-accessible models to undergo prompt injection testing aligned with industry frameworks before enabling AI features — counters the absence of a default prompt shield on User Input. [5]
- Configuration Disable SQL passthrough functions in Admin Search and SpotIQ settings to prevent RLS and CLS bypass through direct SQL execution — counters the vendor-documented passthrough bypass. [2]
- Engineering Deploy a proxy-layer prompt shield or ML-based injection classifier between the Spotter API and the LLM provider endpoint — counters the lack of input-stage filtering.
Execution Isolation
Execution isolation contains what a compromised agent can do on the host.
- Policy Restrict Spotter enablement to models containing non-sensitive data until the organization validates prompt injection resistance — counters the cloud execution trust boundary.
- Configuration Configure the Bring Your Own LLM Key option to route queries through an organization-controlled LLM endpoint with additional security controls — counters vendor-managed LLM trust.
- Engineering Run Spotter-connected warehouse accounts with read-only database permissions and a dedicated service principal to prevent any SQL mutation reaching production tables — counters the shared-privilege trust boundary between Spotter and the warehouse.
Action Controls
Action controls govern which tools and actions the agent can invoke autonomously.
- Policy Establish an organizational policy that MCP connectors may only be enabled for Spotter users who have completed security awareness training covering agentic tool misuse risks — counters connector-mediated action scope. [6]
- Configuration Limit MCP connector enablement to read-only integrations and disable write-capable tools like Slack Send Message for general users — counters the write scope of approved connectors.
- Engineering Build a custom MCP proxy that logs and rate-limits all tool invocations before forwarding to external services — counters the lack of tool-call auditing in Spotter logs.
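The proxy described in the Action Controls tips, as an added example that is not part of the original profile or of ThoughtSpot's own software: a Python policy gate that sits in front of the connector endpoints, allowlists write-capable tools per user (the Configuration tip), rate-limits each user and tool over a sliding window, and writes a structured audit record for every decision (the Engineering tip). The tool names, the user allowlist and the JSON-RPC error code are assumptions; only the `tools/call` request shape follows the MCP protocol.

```python
"""Policy gate for MCP tools/call requests between Spotter and connector
endpoints.  Added example; not ThoughtSpot code.  Tool names and the error
code are assumptions; the request shape follows MCP's tools/call method."""
import json
import time
from collections import defaultdict, deque

# Assumed connector tool names; a real MCP server's tool names will differ.
READ_ONLY_TOOLS = {"slack_search_messages", "confluence_get_page", "jira_get_issue"}
WRITE_TOOLS = {"slack_send_message", "confluence_create_page", "jira_create_issue"}


class McpToolGate:
    """Logs, allowlists and rate-limits tool invocations before forwarding."""

    def __init__(self, write_allowed_users=(), rate_limit=5, window=60.0,
                 clock=time.monotonic):
        self.write_allowed_users = set(write_allowed_users)
        self.rate_limit = rate_limit      # max calls per (user, tool) per window
        self.window = window              # sliding window length in seconds
        self.clock = clock                # injectable so tests are deterministic
        self._calls = defaultdict(deque)  # (user, tool) -> recent call timestamps
        self.audit = []                   # one structured record per decision

    def evaluate(self, user, message):
        """Return an audit record carrying the verdict for one JSON-RPC message."""
        if message.get("method") != "tools/call":
            return self._record(user, None, "allow", "not a tool call")
        tool = (message.get("params") or {}).get("name")
        if tool not in READ_ONLY_TOOLS and tool not in WRITE_TOOLS:
            return self._record(user, tool, "deny", "unknown tool")
        if tool in WRITE_TOOLS and user not in self.write_allowed_users:
            return self._record(user, tool, "deny", "write tool not permitted for user")
        if self._over_limit(user, tool):
            return self._record(user, tool, "deny", "rate limit exceeded")
        return self._record(user, tool, "allow", "policy ok")

    def _over_limit(self, user, tool):
        """Sliding-window counter; records the call only when it is admitted."""
        now = self.clock()
        recent = self._calls[(user, tool)]
        while recent and now - recent[0] > self.window:   # drop expired entries
            recent.popleft()
        if len(recent) >= self.rate_limit:
            return True
        recent.append(now)
        return False

    def _record(self, user, tool, verdict, reason):
        record = {"ts": self.clock(), "user": user, "tool": tool,
                  "verdict": verdict, "reason": reason}
        self.audit.append(record)
        return record


def handle(gate, user, raw):
    """Parse one JSON-RPC request and return (forward_message, error_response).

    forward_message is the parsed request when allowed (else None); error_response
    is a JSON-RPC error for the caller when denied (else None).  -32000 is an
    assumed server-defined error code."""
    message = json.loads(raw)
    decision = gate.evaluate(user, message)
    if decision["verdict"] == "allow":
        return message, None
    error = {"jsonrpc": "2.0", "id": message.get("id"),
             "error": {"code": -32000,
                       "message": f"blocked by policy: {decision['reason']}"}}
    return None, error
```

Wire `handle` into whatever transport carries the connector traffic; the `audit` list is where a SIEM shipper would pick up the per-call records that the platform's own event stream does not carry.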
Output Guardrails
Output guardrails inspect what the agent sends to other systems and users.
- Policy Classify warehouse columns containing PII or financial data and enforce a DLP policy that blocks Spotter from forwarding results from those columns through MCP connectors — counters the absence of output-level data-loss prevention.
- Configuration Restrict the Can download data privilege to the minimum user set required and audit privilege grants quarterly — counters the unfiltered data export path.
- Engineering Deploy an output-scanning proxy that redacts sensitive patterns from Spotter responses before they reach connector destinations — counters zero-scored output guardrails.
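An output-scanning filter of the kind the Output Guardrails tips call for, as an added example that is not ThoughtSpot code: it strips columns the operator has classified as PII or financial from a result before it is forwarded to a connector (the Policy tip), and pattern-scans the remaining text cells (the Engineering tip), confirming card-number candidates with a Luhn check so that order numbers and other digit runs are not redacted by mistake. The result layout, the classified-column set and the sample rows are constructed for illustration.

```python
"""Output DLP filter for Spotter results bound for an MCP connector.
Added example, not ThoughtSpot code.  The result layout (columns + rows),
the classified-column set and the sample rows are constructed."""
import re

# Patterns scanned in free-text cells.  Card candidates must also pass Luhn,
# so order numbers and other long digit runs are left alone.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_ok(digits):
    """Luhn checksum over a string of ASCII digits (no separators)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# (kind, pattern, confirm): confirm rejects false positives after a regex hit
PATTERNS = [
    ("ssn", SSN_RE, lambda s: True),
    ("card", CARD_RE, lambda s: luhn_ok(re.sub(r"\D", "", s))),
    ("email", EMAIL_RE, lambda s: True),
]


def redact_text(text, column, findings):
    """Replace each confirmed match in one cell with a [REDACTED:kind] token."""
    for kind, pattern, confirm in PATTERNS:
        def repl(m, kind=kind, confirm=confirm):
            if not confirm(m.group(0)):
                return m.group(0)
            findings.append({"column": column, "kind": kind})
            return f"[REDACTED:{kind}]"
        text = pattern.sub(repl, text)
    return text


def filter_result(result, classified_columns):
    """Drop classified columns outright and redact PII patterns in the rest.

    Returns (payload safe to forward, findings).  Removing a classified column
    entirely matches a DLP policy that blocks it from leaving the platform via
    a connector; free-text cells in the remaining columns are pattern-scanned."""
    findings = [{"column": c, "kind": "classified_column"}
                for c in result["columns"] if c in classified_columns]
    keep = [i for i, c in enumerate(result["columns"]) if c not in classified_columns]
    rows = []
    for row in result["rows"]:
        out = []
        for i in keep:
            cell = row[i]
            if isinstance(cell, str):
                cell = redact_text(cell, result["columns"][i], findings)
            out.append(cell)
        rows.append(out)
    return {"columns": [result["columns"][i] for i in keep], "rows": rows}, findings


# Constructed sample: what an answer might carry just before a Slack send.
SAMPLE_RESULT = {
    "columns": ["customer", "email", "note", "ssn", "revenue"],
    "rows": [
        ["Acme", "cfo@acme.example", "card 4111 1111 1111 1111 on file", "123-45-6789", 1234567.89],
        ["Globex", "none", "order 1234567890123456 shipped", "987-65-4321", 42.0],
    ],
}
```

`filter_result(SAMPLE_RESULT, {"ssn"})` drops the `ssn` column, redacts the e-mail address and the Luhn-valid card number, and leaves the 16-digit order number in the second row untouched; the `findings` list is what to log so the redaction itself becomes an auditable event.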
Monitoring
Monitoring captures what the agent did and surfaces anomalies for review.
- Policy Require Spotter prompt and result logging in a dedicated audit stream separate from platform security events — counters the exclusion of AI activity from standard audit logs. [12]
- Configuration Configure SIEM push integration and build detection rules for anomalous Spotter query patterns such as repeated schema enumeration or broad data scans — counters the AI observability gap.
- Engineering Instrument the Spotter API layer with OpenTelemetry tracing to capture prompt-level telemetry for behavioral anomaly detection — counters the absence of prompt-level monitoring.
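Detection logic for the two query patterns named in the Configuration tip, as an added example rather than anything ThoughtSpot ships: it runs over constructed telemetry lines of the shape an operator's own API instrumentation might emit (the `ts`, `user`, `tables` and `rows` fields are assumptions, not a ThoughtSpot audit event type), flagging a user who touches many distinct tables inside a short window and any single answer that returns an unusually large row count.

```python
"""Detection rules over Spotter query telemetry.  Added example; not a
ThoughtSpot log format.  The event fields (ts, user, tables, rows) and the
sample lines are constructed to stand in for operator-side instrumentation."""
import json
from collections import defaultdict, deque

# Constructed telemetry: one JSON object per line, epoch-second timestamps.
SAMPLE_LOG = """
{"ts": 1000, "user": "carol", "tables": ["orders"], "rows": 20}
{"ts": 1010, "user": "alice", "tables": ["orders"], "rows": 5}
{"ts": 1030, "user": "alice", "tables": ["customers"], "rows": 5}
{"ts": 1050, "user": "bob", "tables": ["customers"], "rows": 250000}
{"ts": 1060, "user": "alice", "tables": ["payments"], "rows": 5}
{"ts": 1070, "user": "carol", "tables": ["orders"], "rows": 18}
{"ts": 1090, "user": "alice", "tables": ["employees"], "rows": 5}
{"ts": 1120, "user": "alice", "tables": ["salaries"], "rows": 5}
{"ts": 1150, "user": "alice", "tables": ["contracts"], "rows": 5}
{"ts": 1180, "user": "alice", "tables": ["vendors"], "rows": 5}
{"ts": 1200, "user": "carol", "tables": ["orders"], "rows": 22}
"""


def parse_log(text):
    """Yield event dicts, skipping blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def detect(events, enum_tables=6, enum_window=300, scan_rows=100_000):
    """Two rules over a time-ordered event stream.

    schema_enumeration: a user touches >= enum_tables distinct tables within
    enum_window seconds (fires once per user).
    broad_scan: a single answer returns >= scan_rows rows."""
    alerts = []
    recent = defaultdict(deque)   # user -> (ts, tables) pairs inside the window
    enum_fired = set()
    for e in sorted(events, key=lambda x: x["ts"]):
        user, ts = e["user"], e["ts"]
        if e["rows"] >= scan_rows:
            alerts.append({"rule": "broad_scan", "user": user, "ts": ts, "rows": e["rows"]})
        window = recent[user]
        window.append((ts, set(e["tables"])))
        while ts - window[0][0] > enum_window:       # expire old entries
            window.popleft()
        distinct = set().union(*(t for _, t in window))
        if len(distinct) >= enum_tables and user not in enum_fired:
            enum_fired.add(user)
            alerts.append({"rule": "schema_enumeration", "user": user, "ts": ts,
                           "tables": sorted(distinct)})
    return alerts


def run_detection(text=SAMPLE_LOG):
    """Convenience entry point: parse the sample log and apply both rules."""
    return detect(parse_log(text))


if __name__ == "__main__":
    for alert in run_detection():
        print(json.dumps(alert))
```

On the sample above, bob trips `broad_scan` with a single 250,000-row answer and alice trips `schema_enumeration` once she has touched six distinct tables inside five minutes, while carol's repeated queries against one table stay quiet. The thresholds are starting points; tune `enum_tables` and `scan_rows` against a baseline of normal analyst behaviour before turning the rules into alerts.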
7 References
The evidence base behind every score and finding in the profile, grouped by source type so the reader can verify any claim. Numbers in brackets throughout the report (e.g. [7][13]) refer to the numbered entries below.
Selected Vulnerabilities
- [1] CVE-2019-12782 Authorization bypass via pinboard GUID spoofing in ThoughtSpot 4.4.1-5.1.1 (CVSS 8.1), allowing low-privilege users to corrupt other users' pinboards. Patched in 5.1.2.
- [2] ThoughtSpot SQL Passthrough RLS Bypass Vendor-documented risk that SQL passthrough functions bypass ThoughtSpot row-level and column-level security enforcement. Admin-disableable via Search and SpotIQ settings.
Selected Research
- [3] SecureSQL Evaluating Data Leakage of LLMs as NLIDBs Demonstrates prompt injection and inference attacks against text-to-SQL systems with COT-based auxiliary LLM guardian defense evaluation.
- [4] AIA Autoregression-Based Injection Attacks Against Text2SQL Achieves over 70 percent attack success rate including data extraction and deletion on text-to-SQL models.
- [5] OWASP Top 10 for LLM Applications Industry framework covering Prompt Injection and Excessive Agency risks applicable to LLM-powered analytics agents.
- [6] OWASP Top 10 for Agentic Applications Covers Tool Misuse and Memory and Context Poisoning risks in agentic architectures applicable to MCP-connected analytics agents.
Vendor Documentation
- [7] ThoughtSpot Spotter Security Vendor security documentation covering LLM provider assessment, TLS encryption, zero data retention, opt-in AI controls, and permission model for Spotter.
- [8] ThoughtSpot Trust Center Security Trust center page documenting SOC 1, SOC 2, SOC 3, ISO 27001, and CSA STAR Level 1 certifications alongside governance and compliance practices.
- [9] ThoughtSpot Spotter Enablement Documents the three-tier permission model for Spotter activation, LLM configuration options, and MCP connector enablement.
- [10] ThoughtSpot Spotter Connectors Usage Documents MCP tool call permission prompts, connector authentication, and per-action approval controls for Slack, Confluence, Jira, and Snowflake.
- [11] ThoughtSpot Sage Security Architecture Vendor blog detailing the SQL translation defense against prompt injection and prompt leak prevention architecture.
- [12] ThoughtSpot Audit Logs Documents security audit event collection via SIEM push or REST API pull, event types covering user activities, and 30-day retention policy.
- [13] ThoughtSpot Spotter AI APIs Developer documentation for Spotter conversation and answer creation endpoints, streaming response protocol, and data source suggestions.
- [14] ThoughtSpot Responsible Disclosure Program Vendor responsible disclosure program accepting vulnerability reports via email, covering RCE, SQL injection, XSS, CSRF, and authorization bypass.
- [15] ThoughtSpot Spotter Connectors Integration Documents MCP host capabilities, OAuth and Bearer Token authentication methods, role-based access enforcement, and admin-controlled connector management.
- [16] ThoughtSpot Privacy Center Privacy documentation covering GDPR compliance, HIPAA BAA availability, data handling commitments, and sub-processor governance.
Other Sources
- [17] CSA STAR Registry ThoughtSpot Cloud Cloud Security Alliance STAR Registry listing confirming ThoughtSpot Cloud self-assessment at Level 1, listed since 2022.
- [18] ThoughtSpot SOC 2 Type II Attestation Press release documenting independent SOC 2 Type II audit by KirkpatrickPrice covering security, availability, and confidentiality controls.
- [19] Microsoft 365 App Certification for ThoughtSpot Spotter Microsoft 365 certification entry confirming ISO 27001 and CSA STAR compliance and FedRAMP non-compliance for ThoughtSpot Spotter.
- [20] NCC Group ThoughtSpot Authorization Bypass Advisory Third-party technical advisory for CVE-2019-12782, detailing the GUID spoofing attack vector and remediation in ThoughtSpot 5.1.2.